Abstract


Kleene algebra with tests (KAT) was introduced as an algebraic
structure to model and reason about classic imperative programs, i.e.
sequences of discrete transitions guarded by Boolean tests. This paper
introduces two generalisations of this structure able to express programs
as weighted transitions and tests with outcomes in not necessarily
bivalent truth spaces: graded Kleene algebra with tests (GKAT) and a
variant where tests are also idempotent (I-GKAT). In this context, and
in analogy to Kozen’s encoding of Propositional Hoare Logic (PHL) in
KAT, we discuss the encoding of a graded PHL in I-GKAT and of its
while-free fragment in GKAT. Moreover, to establish semantics for these
structures, four new algebras are defined: FSET(T), FREL(K,T)
and FLANG(K,T) over complete residuated lattices K and T, and
M(n, A) over a GKAT or I-GKAT A. As a final exercise, the paper
discusses some program equivalence proofs in a graded context.


1 Introduction


1.1 Roadmap 


Kleene algebra is pervasive in Computer Science, with applications ranging from
semantics and logics of programs, to automata and formal language theory, as 
well as to the design and analysis of algorithms. Some recent examples deal 
with hybrid systems analysis [17], separation logic [5] and non-termination 
analysis [9]. As a program calculus, the axiomatisation of Kleene algebra 
forms a deductive system to manipulate programs [21]. Its applications 
typically deal with conventional, imperative programming constructs, namely 
conditionals and loops. Reasoning equationally about them entails the need 
for a notion of a test, which leads to the development of Kleene algebra 
with tests (KAT) [22] combining the expressiveness of Kleene algebra with 
a Boolean subalgebra to formalise tests. An alternative approach extends 
a Kleene algebra with both a domain and a codomain operation mapping 
transitions to propositions [8]. Contrary to KAT, the resulting structure is a 
one-sorted algebra. D. Kozen [21] proved that plain Kleene algebra is closed 
under the formation of square matrices, later extending this result to Kleene 
algebra with tests by considering a test a Boolean diagonal matrix. 

Hoare logic (HL) was the first formal system proposed for verification 
of programs. Introduced in 1969, its wide influence made it a cornerstone 
in program correctness. HL encompasses a syntax to reason about partial 
correctness assertions of the form {b}p{c}, called a Hoare triple, and a 
deductive system to reason about them [16], [12]. In a Hoare triple, b and c 
stand for predicates, representing the pre and post conditions, respectively, 
and p is a program statement. Propositional Hoare logic (PHL) is a fragment 
of HL, in which Hoare triples are reduced to static assertions about the 
underlying domain of computation [23], and therefore encoded in a Kleene 
algebra with tests. The translation maps Hoare triples to equations and the 
rules of inference into equational implications. 

As originally presented, KAT is suitable to reason about classic imperative
programs. In fact, such programs are particularly “well tractable”: they
represent a sequence of discrete steps, each of which can be modelled as an
atomic transition in a standard automaton. Typically, these assertions have
an outcome in a bivalent truth space. However, current complex, dynamic
systems require new computing domains, namely probabilistic [30] or
continuous [27], which entail the need for computing paradigms able to deal
with some sort of weighted program executions. Actually, assertions about
these programs often have a graded outcome.


In this context, the development of algebraic structures to model
weighted computations becomes a must. Such computations, often
associated with notions of uncertainty, can be mathematically conceptualised
in terms of the well established fuzzy set theory. Although a fuzzy set was
initially defined as a mapping from a set X to the unit interval [0, 1] [37], it
later evolved into a more generic concept, by replacing such an interval by
an arbitrary complete distributive lattice L [13]. The latter work constitutes
a cornerstone in the study of algebraic formalisations of fuzzy concepts. M.
Winter [34, 35, 36] follows this route through a categorical perspective. The
work of J. Desharnais et al. [8] continued along distinct paths: one [11]
proposes a new axiomatisation for domain and codomain operators, leading
to algebras of domain elements of which Boolean and Heyting algebras
are special cases; another [7] investigates notions of domain and codomain
operators to provide applications in fuzzy relations and matrices, by using
an idempotent left semiring as the base algebraic structure.


This paper builds on such motivations to introduce two generalisations
of KAT able to express programs as weighted computations and tests as
predicates evaluated in a graded truth space - the graded Kleene algebra with
tests (GKAT) and the idempotent graded Kleene algebra with tests (I-GKAT).
GKAT has several interesting instances, from the continuous Łukasiewicz
lattice to the discrete finite hoops. I-GKAT, on the other hand, is able to
encode, with the exception of the assignment rule, the deductive system of
PHL. In analogy to KAT [23], we discuss how to encode PHL into GKAT,
therefore extending the classical scope of program correctness. However, this
can only be entirely achieved for the fragment of while-free programs. To
obtain a complete encoding of Hoare logic, there was a need to refine the
basic structure. Thus, I-GKAT emerged as a subclass of GKAT, with, of
course, a smaller set of instances. This includes, in particular, lattice 3 to
deal with partial programs and uncertainty on tests, and Gödel algebra, a
well-known structure used in logics whose truth values are closed subsets of
the interval [0, 1].


Extending KAT to the domain of weighted computation is the main
motivation of this work. The paper extends some preliminary results
documented in our previous work [14] in distinct directions. First, we propose
three algebraic constructions that represent models for both GKAT and
I-GKAT: the set of all fuzzy sets, the set of all fuzzy relations and the set
of all fuzzy languages, provided with the appropriate operators over the
elements for each case. Note that in modelling uncertainty fuzzy logic plays
a very important role. It is known that the standard algebraic model for
classic, bivalent logic, is a Boolean algebra, with a clear connection to the
classic set theory. Similarly, as stated in [26], reasoning with uncertainty, as
captured by fuzzy logic, is tied to fuzzy set theory.

At a later stage, we prove that both GKAT and I-GKAT enjoy a
matricial construction similar to D. Kozen’s classical result [21]. This is
indeed relevant as many problems modelled as labelled transition systems
can be formulated as matrices over a Kleene algebra or a similar structure.
Constructions are parametric on the concrete underlying lattice, as defined
by R. Guillherme [15] for the case of fuzzy sets, relations and languages.
Finally, we revisit in the weighted context some examples of equational
proofs from the KAT seminal paper [22]. In particular, we show how to
handle, in such a scenario, the result of denesting two nested while loops.

The remainder of the paper is organised as follows: Subsection 1.2 
recapitulates some fundamental concepts. Section 2 introduces graded Kleene 
algebra with tests as a generalisation of KAT, detailing its axiomatisation, 
a few examples and proofs of basic properties. It also presents a partial 
encoding of classical PHL in GKAT. Section 3 introduces idempotent graded 
Kleene algebra with tests as another generalisation of the standard KAT 
and a refinement of GKAT, offering a complete encoding of PHL. Section 4 
presents fuzzy sets, fuzzy relations, fuzzy languages and n × n matrices, with
the appropriate operations, as models of GKAT and I-GKAT. Section 5 
discusses some equational proofs for program equivalence in a graded scenario. 
Finally, Section 6 sums up related research, concludes, and enumerates some 
topics for future work. 


1.2 Preliminaries 
Definition 1 A Kleene algebra with tests (KAT) is a tuple

$$(K, T, +, ;, {}^{*}, \bar{\ }, 0, 1)$$

where $T \subseteq K$, 0 and 1 are constants in $T$, + and ; are binary operators in
both $K$ and $T$, ${}^{*}$ is a unary operator in $K$, and $\bar{\ }$ is a unary operator defined
only on $T$ such that:

• $(K, +, ;, {}^{*}, 0, 1)$ is a Kleene algebra;

• $(T, +, ;, \bar{\ }, 0, 1)$ is a Boolean algebra;

• $(T, +, ;, 0, 1)$ is a subalgebra of $(K, +, ;, 0, 1)$.


The elements of $K$, denoted by lower case letters $p, q, r, s, x, y, z$, stand for
programs and the elements of $T$, denoted by $a, b, c, d$, are called tests. Note
also that operators + and ; correspond to the Boolean algebra operations of
disjunction and conjunction, respectively. Kleene algebra with tests induces
an abstract programming language, where the conditional and while loop
programming constructs are encoded as follows:

$$
\begin{array}{rcl}
\textbf{if } b \textbf{ then } p & \stackrel{\text{def}}{=} & b;p + \bar{b} \\
\textbf{if } b \textbf{ then } p \textbf{ else } q & \stackrel{\text{def}}{=} & b;p + \bar{b};q \\
\textbf{while } b \textbf{ do } p & \stackrel{\text{def}}{=} & (b;p)^{*};\bar{b}
\end{array}
$$

The encoding of Propositional Hoare Logic (PHL) in KAT leads to an
equational calculus to reason about Hoare triples. Recall that one such triple
$\{b\}p\{c\}$ is valid if whenever precondition $b$ is met, the postcondition $c$ is
guaranteed to hold, upon the successful termination of program $p$. Classically,
validity in PHL is established through the set of rules in Figure 1.


• Composition rule:

$$\frac{\{b\}\,p\,\{c\} \qquad \{c\}\,q\,\{d\}}{\{b\}\,p;q\,\{d\}}$$

• Conditional rule:

$$\frac{\{b \land c\}\,p\,\{d\} \qquad \{\neg b \land c\}\,q\,\{d\}}{\{c\}\ \textbf{if } b \textbf{ then } p \textbf{ else } q\ \{d\}}$$

• While rule:

$$\frac{\{b \land c\}\,p\,\{c\}}{\{c\}\ \textbf{while } b \textbf{ do } p\ \{\neg b \land c\}}$$

• Weakening and Strengthening rule:

$$\frac{b' \to b \qquad \{b\}\,p\,\{c\} \qquad c \to c'}{\{b'\}\,p\,\{c'\}}$$

Figure 1: Hoare Logic Rules.

A Hoare triple $\{b\}p\{c\}$ is encoded in KAT as $b;p;\bar{c} = 0$, which is
equivalent to $b;p = b;p;c$. The first equation means, intuitively, that
the execution of $p$ with precondition $b$ and postcondition $\bar{c}$ does not halt.
Equation $b;p = b;p;c$, on the other hand, states that the verification of the
postcondition $c$ after the execution of $b;p$ is redundant. PHL inference rules
are encoded in KAT, as follows:


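• Composition:

$$b;p = b;p;c \;\land\; c;q = c;q;d \;\Rightarrow\; b;p;q = b;p;q;d$$

• Conditional:

$$b;c;p = b;c;p;d \;\land\; \bar{b};c;q = \bar{b};c;q;d \;\Rightarrow\; c;(b;p + \bar{b};q) = c;(b;p + \bar{b};q);d$$

• While:

$$b;c;p = b;c;p;c \;\Rightarrow\; c;(b;p)^{*};\bar{b} = c;(b;p)^{*};\bar{b};\bar{b};c$$

• Weakening and Strengthening:

$$b' \le b \;\land\; b;p = b;p;c \;\land\; c \le c' \;\Rightarrow\; b';p = b';p;c'$$

where $\le$ refers to the partial order on $K$ defined as $p \le q$ iff $p + q = q$.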


2 Graded Kleene Algebra with Tests 


2.1 The Basic Structure 


The approach proposed in this paper, to reason about program executions in
a weighted, i.e. many-valued context, is based on redefining the interpretation
of the assertions about programs. Since such assertions take the form of
tests, we start by modifying the part of the axiomatisation of KAT that
deals with properties of tests, i.e. the Boolean algebra $(T, +, ;, \bar{\ }, 0, 1)$.

Instead of having a Boolean outcome, as in KAT, tests are graded,
taking values from a truth space with more than two possible outcomes.
As a consequence, the expression $b;p$ represents a weighted execution of
program $p$, guarded by the value of test $b$. This leads to the following
generalisation of KAT:

Definition 2 A graded Kleene algebra with tests (GKAT) is a tuple

$$(K, T, +, ;, {}^{*}, \to, 0, 1)$$

where $K$ and $T$ are sets, with $T \subseteq K$, 0 and 1 are constants in $T$, + and ;
are binary operations in both $K$ and $T$, ${}^{*}$ is a unary operator in $K$, and $\to$ is
an operator only defined in $T$, satisfying the axioms in Figure 2. Relation $\le$
is induced by + in the usual way: $p \le q$ iff $p + q = q$.


Again, programs are elements of $K$ denoted by lower case letters $p$,
$q$, $r$, $s$, $x$, $y$, $z$ and tests are elements of $T$ denoted by $a, b, c, d$. Observe
that a Kleene algebra is recovered by restricting the definition of GKAT
to $(K, T, +, ;, {}^{*}, 0, 1)$, axiomatised by (1)-(10). Note also that $(T, +, ;, 0, 1)$
is a subalgebra of $(K, +, ;, 0, 1)$. Differently from what happens in KAT,
negation $\bar{a}$, for $a \in T$, is not explicitly denoted, although it can be derived
as $a \to 0$.


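$$
\begin{array}{rcll}
p + (q + r) & = & (p + q) + r & (1) \\
p + q & = & q + p & (2) \\
p;(q;r) & = & (p;q);r & (3) \\
p;1 = 1;p & = & p & (4) \\
p;(q + r) & = & (p;q) + (p;r) & (5) \\
(p + q);r & = & (p;r) + (q;r) & (6) \\
p;0 = 0;p & = & 0 & (7) \\
1 + (p;p^{*}) & = & p^{*} & (8) \\
p;r \le r & \Rightarrow & p^{*};r \le r & (9) \\
r;p \le r & \Rightarrow & r;p^{*} \le r & (10) \\
a;b \le c & \Leftrightarrow & b \le a \to c & (11) \\
a & \le & 1 & (12) \\
a;b & = & b;a & (13)
\end{array}
$$

Figure 2: Axiomatisation of graded Kleene algebra with tests.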


Note that a Kleene algebra is usually characterised by three more equations:

$$
\begin{array}{rcll}
p + p & = & p & (14) \\
p + 0 & = & p & (15) \\
1 + p^{*};p & = & p^{*} & (16)
\end{array}
$$

We resort to these equations to prove some results of this paper. However,
as can be easily verified, they can be derived from the axiomatisation of
Figure 2.

Operators “+” and “;” in GKAT play a different role when acting
on programs or tests. The former stands for non-deterministic choice over
programs, and a form of logical disjunction on tests. The latter is taken
as sequential composition of actions when applied to elements of $K$, and
as a “multiplication” of tests when applied to elements of $T$. Finally, in
the domain of programs, the constants 0 and 1 interpret the halt and skip
commands, while, when applied to tests, they stand for logical constants false
and true, respectively. Some operations are specific to only tests or programs.
For instance, operation ${}^{*}$ stands for iterative execution of programs and
operation $\to$ plays the role of logical implication over tests.

A main particularity of the GKAT axiomatization concerns rules (12)
and (13), which form a weakened version of the axiomatization of a Boolean
algebra. It is also relevant to note that axiom (11), which allows reasoning
about operator $\to$, is particular to GKAT. GKAT generalises KAT in the
following sense:


Lemma 1 Any KAT is a GKAT.

Proof: For a fixed KAT

$$A = (K, T, +, ;, {}^{*}, \bar{\ }, 0, 1)$$

define

$$M = (K, T, +, ;, {}^{*}, \to, 0, 1)$$

inheriting the operators +, ;, ${}^{*}$ and constants 0 and 1 from $A$. Let
$a \to b := \bar{a} + b$, for $a, b \in T$.

The crucial part of the proof verifies that axiom (11) holds for $M$, for
all $a, b, c \in T$. To see that, assume $a;b \le c$. Then,

$$
\begin{array}{ll}
 & a;b \le c \\
\Leftrightarrow & \{\ ;\ \text{is the conjunction of tests}\ \} \\
 & a \land b \le c \\
\Leftrightarrow & \{\ \text{commutativity of } \land\ \} \\
 & b \land a \le c \\
\Leftrightarrow & \{\ \text{test shunting}\ \} \\
 & b \le \bar{a} + c \\
\Leftrightarrow & \{\ \text{definition of } \to\ \} \\
 & b \le a \to c
\end{array}
$$

We have just shown that axiom (11) holds for any $a, b, c \in T$ in $M$.
Since axioms (1)-(10), (12), (13) are axioms of $A$, $M$ is indeed a GKAT.

Example 1 (2 - the Boolean lattice). Our first example is the well-known
binary structure

$$\mathbf{2} = (\{\top, \bot\}, \{\top, \bot\}, \lor, \land, {}^{*}, \to, \bot, \top)$$

with the standard interpretation of Boolean connectives. Operator ${}^{*}$ maps
each element of $\{\top, \bot\}$ to $\top$ and $\to$ corresponds to logical implication.


Example 2 A second example is provided by the three-element linear lattice,
which introduces an explicit denotation $u$ for “unknown” (or “undefined”).

$$\mathbf{3} = (\{\top, u, \bot\}, \{\top, u, \bot\}, \lor, \land, {}^{*}, \to, \bot, \top)$$

where

[Operation tables for the connectives of 3]


Example 3 For a fixed, finite set $A$, another instance of GKAT is

$$2^{A} = (P(A), P(A), \cup, \cap, {}^{*}, \to, \emptyset, A)$$

where $P(A)$ denotes the powerset of $A$, $\cup$ and $\cap$ are set union and intersection,
respectively, ${}^{*}$ maps each set $X \in P(A)$ into $A$, and $X \to Y = X^{C} \cup Y$,
where $X^{C} = \{x \in A \mid x \notin X\}$.


Example 4 Another example is based on the well-known Łukasiewicz
arithmetic lattice.

$$Ł = ([0, 1], [0, 1], \max, \odot, {}^{*}, \to, 0, 1)$$

where $x \to y = \min\{1, 1 - x + y\}$, $x \odot y = \max\{0, x + y - 1\}$ and ${}^{*}$ maps
each point of the interval [0, 1] to 1.


Example 5 As another example, consider the standard $\Pi$-algebra

$$\Pi = ([0, 1], [0, 1], \max, \cdot, {}^{*}, \to, 0, 1)$$

where $\cdot$ is the usual multiplication of real numbers,

$$x \to y = \begin{cases} 1, & \text{if } x \le y \\ y/x, & \text{if } y < x \end{cases}$$

/ is real division and ${}^{*}$ maps each point of the interval [0, 1] to 1.


Example 6 A Gödel algebra is also an instance of GKAT. Actually,

$$G = ([0, 1], [0, 1], \max, \min, {}^{*}, \to, 0, 1)$$


where 


and * maps each point of the interval [0, 1] to 1. 


Example 7 Let us consider now a GKAT endowing the finite Wajsberg hoop
with a star operator [3]. For a fixed natural $k$ and a generator $a$, one gets

$$W_k = (W_k, W_k, +, ;, {}^{*}, \to, 0, 1)$$

where $W_k = \{a^{0}, a^{1}, \ldots, a^{k-1}\}$, $1 = a^{0}$ and $0 = a^{k-1}$. Moreover, for any
$m, n \le k - 1$, $a^{m} + a^{n} = a^{\min\{m, n\}}$, $a^{m};a^{n} = a^{\min\{m + n,\, k - 1\}}$, $(a^{m})^{*} = a^{0}$ and
$a^{m} \to a^{n} = a^{\max\{n - m,\, 0\}}$.


Example 8 The (min, +) Kleene algebra [19], known as the tropical semiring,
can be extended to a GKAT by adding residuation $\to$. First, let $\mathbb{R}^{+}_{0}$
denote the set $\{x \in \mathbb{R} \mid x \ge 0\}$ and adjoin $\infty$ as a new constant. Thus, define

$$R = (\mathbb{R}^{+}_{0} \cup \{\infty\}, \mathbb{R}^{+}_{0} \cup \{\infty\}, \min, +, {}^{*}, \to, \infty, 0)$$

where, for any $x, y \in \mathbb{R}^{+}_{0} \cup \{\infty\}$, $x^{*} = 0$ and $x \to y = \max\{y - x, 0\}$.


Example 1 represents the algebraic semantics of classical two-valued
logic, while Example 3 operates over sets. To reason in discrete
multi-valued logics, Examples 2 and 7 are pertinent. For the purpose of this
work, i.e. for reasoning about graded computations and assertions in a
multi-valued truth space, Examples 4, 5 and 6 are particularly relevant, since
they correspond to well-known models for fuzzy and multi-valued logics. Note
that in all examples considered, $T = K$, that is, the set of tests and the set
of programs coincide.

As stated above, while tests in KAT have a binary outcome, such is
not necessarily the case in GKAT in which tests are graded. This entails
the need to weaken the Boolean subalgebra $(T, +, ;, \bar{\ }, 0, 1)$ of KAT. In
any GKAT, for any test $a \in T$, $a;(a \to 0) = 0$, which follows immediately
from the definition of $\le$ and axiom (11). However, it is not necessarily true that
$a + (a \to 0) = 1$. Let us illustrate this in the following example.


Example 9 Consider the GKAT

$$(\{0, n, m, 1\}, \{0, n, m, 1\}, +, ;, {}^{*}, \to, 0, 1)$$

in which the operation ${}^{*}$ maps all points to the top element 1, and the
remaining operations are defined as follows:

[Operation tables for the remaining operations]

Clearly, $a = m$ entails $m + (m \to 0) = m + m = m \ne 1$. It is therefore safe
to state that GKAT has embedded a weakened Boolean subalgebra and,
consequently, tests can assume a wider range of values, representing the
truth degree of the statement “b holds”. Consequently, the expression $b;p$
means that the execution of a program $p$ is guarded by that particular truth
(graded) value.


2.2 Graded Propositional Hoare Logic 


Kleene algebra with tests provides a framework to reason about imperative
programs in a (quasi) equational way. Actually, its classical presentation [23]
aimed at the reduction of PHL to ordinary equations and quasi-equations,
as mentioned in the introduction. In particular, the inference rules of Hoare
logic are derived as theorems in KAT.

Similarly, let us explore a possible encoding of propositional Hoare
logic into GKAT. Since this new structure deals with graded tests, both the
meaning of Hoare triples and the inference rules need to be adjusted. This
reinterpretation leads to a generalised version we shall refer to as graded
propositional Hoare logic (GPHL).

In the presence of graded tests, the interpretation of a triple $\{b\}p\{c\}$,
and hence, the correctness of a program, relies on the idea that whenever
$b;p$ executes with truth degree $b$, if and when it halts, it is guaranteed
that $(b;p);c$ holds with at least the same degree of truth. In other words,
correctness of a program can only grow with execution. Therefore, the
encoding in GKAT is captured by the following inequality:

$$b;p \le b;p;c$$

Moreover, the equivalence

$$b;p \le b;p;c \;\Leftrightarrow\; b;p = b;p;c, \qquad (17)$$

also holds in GKAT, following directly from (5), (12) and (4). Note, however,
that the equivalence

$$b;p = b;p;c \;\Leftrightarrow\; b;p \le p;c$$

does not hold in GKAT.
The inference rules of Hoare logic are encoded in GKAT, as follows. 


Theorem 1 The following implications are theorems in GKAT.

1. Composition rule:

$$b;p \le b;p;c \;\land\; c;q \le c;q;d \;\Rightarrow\; b;p;q = b;p;q;d$$

2. Conditional rule:

$$b;c;p \le b;c;p;d \;\land\; (b \to 0);c;q \le (b \to 0);c;q;d \;\Rightarrow\; c;(b;p + (b \to 0);q) \le c;(b;p + (b \to 0);q);d$$


3. Weakening and Strengthening rule:

Pstinhplipehecae SS tips hp

Proof:

1. Composition rule: Let us assume that $b;p \le b;p;c$ and $c;q \le c;q;d$.
By (17), these inequalities are equivalent to $b;p = b;p;c$ and $c;q = c;q;d$,
respectively. So, we have

$$
\begin{array}{ll}
 & b;p;q \\
= & \{\ b;p = b;p;c\ \} \\
 & b;p;c;q \\
= & \{\ c;q = c;q;d\ \} \\
 & b;p;c;q;d \\
= & \{\ b;p = b;p;c\ \} \\
 & b;p;q;d
\end{array}
$$

2. Conditional rule: Assume $b;c;p \le b;c;p;d$ and $(b \to 0);c;q \le (b \to 0);c;q;d$.
First of all, observe that, for any $p, q, r, s \in K$,

$$p \le q \;\land\; r \le s \;\Rightarrow\; p + r \le q + s \qquad (18)$$

To prove this, assume that $p \le q$ and $r \le s$, i.e. $p + q = q$ and $r + s = s$.
Then, by (1) and (2), $(p + r) + (q + s) = (p + q) + (r + s) = q + s$. So,
by (18),

$$
\begin{array}{ll}
 & b;c;p + (b \to 0);c;q \le b;c;p;d + (b \to 0);c;q;d \\
\Leftrightarrow & \{\ (13), (5) \text{ and } (6)\ \} \\
 & c;(b;p + (b \to 0);q) \le c;(b;p + (b \to 0);q);d
\end{array}
$$


3. Weakening and Strengthening rule: Finally, observe that, for all
$b, c \in T$ and $p \in K$,

$$b;p \le b;p;c \;\Rightarrow\; b;p;(c \to 0) \le 0 \qquad (19)$$

Using (17) to rewrite (19) as

$$b;p = b;p;c \;\Rightarrow\; b;p;(c \to 0) = 0 \qquad (20)$$

and, assuming $b;p = b;p;c$, we have

$$
\begin{array}{ll}
 & b;p;(c \to 0) \\
= & \{\ b;p = b;p;c \text{ assumption}\ \} \\
 & b;p;c;(c \to 0) \\
= & \{\ a;(a \to 0) = 0 \text{ and } (7)\ \}
\end{array}
$$

Using (20), the Weakening and Strengthening rule can be rewritten as

$$a \le b \;\land\; b;p;(c \to 0) = 0 \;\land\; (d \to 0) \le (c \to 0) \;\Rightarrow\; a;p;(d \to 0) = 0$$

which follows from the monotonicity of “;”.


The attentive reader certainly noticed the absence of an encoding of the
While rule in the graded setting. In analogy with what was done before,
such a rule would take the form:

$$b;c;p \le b;c;p;c \;\Rightarrow\; c;(b;p)^{*};(b \to 0) \le c;(b;p)^{*};(b \to 0);(b \to 0);c \qquad (21)$$

However, this is not necessarily true for all $p \in K$ and $b, c \in T$. To see this,
consider the GKAT structure of Example 9. If $b = 0$, $c = m$, $p = 0$, by (7)
and (15), the instantiation of $b;c;p \le b;c;p;c$ boils down to

$$0;m;0 + 0;m;0;m = 0;m;0;m \;\Leftrightarrow\; 0 = 0$$

and that of $c;(b;p)^{*};(b \to 0) \le c;(b;p)^{*};(b \to 0);(b \to 0);c$ becomes,
by (7), (4) and (15),

$$m;(0)^{*};1 + m;(0)^{*};1;1;m = m;(0)^{*};1;1;m \;\Leftrightarrow\; m = 0$$

Using these two equations, the equational implication which could represent
the While rule (21) boils down to $0 = 0 \Rightarrow m = 0$, which is obviously
false. The next section addresses this problem, by proposing an alternative
algebraic structure able to accommodate a complete encoding of Hoare logic.


3 Idempotent Graded Kleene Algebra with Tests 


3.1 The Basic Structure 


By carefully observing the encoding of the PHL while rule in KAT, it
becomes apparent that one cause of failure of an analogous encoding in
GKAT, mentioned in the previous section, is the impossibility of duplicating
graded tests. Actually, in GKAT, $b;b = b$ does not hold, but only $b;b \le b$
instead. The solution proposed here is to refine the GKAT structure with
some additional properties such that, i) it allows for a complete encoding of
Hoare logic and, at the same time, ii) captures non-classical examples, with
some degrees of uncertainty in program execution and evaluation of tests.
The idea is to resort to a stronger algebra to model the tests, instead of the
Boolean algebra implicitly used in KAT.

Definition 3 An idempotent graded Kleene algebra with tests (I-GKAT)
is a tuple

$$(K, T, +, ;, {}^{*}, \to, 0, 1)$$

where $K$ and $T$ are sets, with $T \subseteq K$, 0 and 1 are constants in $T$, + and ;
are binary operations in both $K$ and $T$, ${}^{*}$ is a unary operator in $K$, and $\to$
is an operator only defined in $T$, satisfying the axioms in Figure 2 plus the
axiom below:

$$a;a = a \qquad (22)$$


Note that, as in GKAT, negation is not explicitly denoted, but can be
derived as $a \to 0$.

The following result establishes I-GKAT as a strict subclass of GKAT,
as well as another generalisation of KAT. Examples 1, 2, 3 and 6 are instances
of I-GKAT. Figure 3 sums up our results.


Figure 3: Examples of KAT, GKAT and I-GKAT.


Lemma 2 Any KAT is an I-GKAT, which in turn is also a GKAT.


Proof: It suffices to show that axiom (11) holds for all $a, b, c \in T$. The
proof is similar to that of Lemma 1.

I-GKAT provides a setting to discuss the behaviour of programs guarded
by tests in an uncertain execution. For instance, in Example 2, if $b = u$,
expression $u;p$ means that one cannot be sure whether program $p$ can be
executed or not.
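
The test axioms (11)-(13), the idempotency axiom (22) and the candidate While rule (21) can be checked mechanically on the [0, 1] instances of Examples 4, 5 and 6. The Python below is an added illustration, not code from the paper: the grid of rationals, the function names and the use of c = 1/2 in the Łukasiewicz lattice (in place of Example 9's m) are assumptions made here, and the Gödel residuum used is the standard one (1 if x ≤ y, y otherwise).

```python
from fractions import Fraction as F
from functools import reduce
from itertools import product

ZERO, ONE = F(0), F(1)
GRID = [F(i, 8) for i in range(9)]  # constructed sample of [0, 1], exact arithmetic

# Each instance is (';', residuum '->'); '+' is max in all three algebras.
ALGEBRAS = {
    "Lukasiewicz": (lambda x, y: max(ZERO, x + y - 1),      # Example 4
                    lambda x, y: min(ONE, 1 - x + y)),
    "Product": (lambda x, y: x * y,                          # Example 5
                lambda x, y: ONE if x <= y else y / x),
    "Goedel": (min,                                          # Example 6
               lambda x, y: ONE if x <= y else y),
}


def leq(x, y):
    """p <= q iff p + q = q, with + interpreted as max."""
    return max(x, y) == y


def star(_x):
    """In Examples 4-6 the star maps every point of [0, 1] to 1."""
    return ONE


def seq(mul, *xs):
    """Sequential composition x1 ; x2 ; ... ; xn."""
    return reduce(mul, xs)


def check_test_axioms(name):
    """Evaluate axioms (11), (12), (13) and (22) on every grid point."""
    mul, imp = ALGEBRAS[name]
    return {
        "(11)": all(leq(mul(a, b), c) == leq(b, imp(a, c))
                    for a, b, c in product(GRID, repeat=3)),
        "(12)": all(leq(a, ONE) for a in GRID),
        "(13)": all(mul(a, b) == mul(b, a) for a, b in product(GRID, repeat=2)),
        "(22)": all(mul(a, a) == a for a in GRID),
    }


def while_rule_instance(name, b, c, p):
    """Return (premise, conclusion) of implication (21) for given b, c, p."""
    mul, imp = ALGEBRAS[name]
    not_b = imp(b, ZERO)                 # negation derived as b -> 0
    loop = star(mul(b, p))               # (b;p)*
    premise = leq(seq(mul, b, c, p), seq(mul, b, c, p, c))
    conclusion = leq(seq(mul, c, loop, not_b),
                     seq(mul, c, loop, not_b, not_b, c))
    return premise, conclusion


def while_rule_counterexamples(name):
    """Grid points (b, c, p) where the premise of (21) holds but the conclusion fails."""
    found = []
    for b, c, p in product(GRID, repeat=3):
        premise, conclusion = while_rule_instance(name, b, c, p)
        if premise and not conclusion:
            found.append((b, c, p))
    return found


if __name__ == "__main__":
    for name in ALGEBRAS:
        print(name, check_test_axioms(name), len(while_rule_counterexamples(name)))
    print(while_rule_instance("Lukasiewicz", ZERO, F(1, 2), ZERO))
```

Only the Gödel instance satisfies (22), and it is the only one of the three for which the search returns no counterexample to (21).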


3.2 Propositional Hoare Logic in I-GKAT


Let us now discuss how to encode propositional Hoare logic in I-GKAT.
Differently from what happens in GKAT, the three encodings proposed
by D. Kozen for Hoare logic are equivalent in I-GKAT:

$$b;p = b;p;c \;\Leftrightarrow\; b;p \le b;p;c \;\Leftrightarrow\; b;p \le p;c$$

Hence, the inference rules of Hoare logic can be encoded in I-GKAT as they
are in classical propositional Hoare logic.


Theorem 2 The following implication is a theorem in I-GKAT.

$$b;c;p \le b;c;p;c \;\Rightarrow\; c;(b;p)^{*};(b \to 0) \le c;(b;p)^{*};(b \to 0);(b \to 0);c$$


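Proof: Assume, by (13),

$$b;c;p \le b;c;p;c \;\Leftrightarrow\; c;b;p \le c;b;p;c \qquad (23)$$

Let us start by proving

$$
\begin{array}{ll}
 & c + c;(b;p)^{*};c;b;p \\
\le & \{\ \text{by (23)}\ \} \\
 & c + c;(b;p)^{*};c;b;p;c \\
\le & \{\ \text{by (22) and (4)}\ \} \\
 & c;c + c;(b;p)^{*};c;b;p;c \\
\le & \{\ \text{by distributivity}\ \} \\
 & c;(1 + (b;p)^{*};c;b;p);c \\
\le & \{\ \text{by monotonicity}\ \} \\
 & c;(1 + (b;p)^{*};b;p);c \\
\le & \{\ \text{by (16)}\ \} \\
 & c;(b;p)^{*};c
\end{array}
$$

But

$$
\begin{array}{ll}
 & c + c;(b;p)^{*};c;b;p \le c;(b;p)^{*};c \\
\Rightarrow & \{\ (10)\ \} \\
 & c;(b;p)^{*} \le c;(b;p)^{*};c \\
\Rightarrow & \{\ \text{monotonicity of } ;\ \} \\
 & c;(b;p)^{*};(b \to 0) \le c;(b;p)^{*};c;(b \to 0) \\
\Leftrightarrow & \{\ (13)\ \}
\end{array}
$$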

4 Illustration: Fuzzy Sets, Fuzzy Relations, Fuzzy 
Languages and Matrices as GKAT/I-GKAT 


4.1 Preliminaries 


This section illustrates both GKAT and I-GKAT constructions by discussing 
how they can be developed over fuzzy sets, fuzzy relations, fuzzy languages 
and matrices. 


Definition 4 Given a set $X$ and a complete residuated lattice W over
carrier $W$, a fuzzy subset of $X$ is a function $\varphi: X \to W$; $\varphi(x)$ defines the
membership degree of $x$ in $\varphi$.


Definition 5 Let $X_1, X_2, \ldots, X_n$ be sets. A fuzzy relation $\mu$ between $X_1$,
$X_2, \ldots, X_n$ is a fuzzy subset of the Cartesian product $X_1 \times X_2 \times \cdots \times X_n$.


For each $x_1 \in X_1, x_2 \in X_2, \ldots, x_n \in X_n$, $\mu(x_1, x_2, \ldots, x_n)$ can be
interpreted as the truth value of how elements $x_1, x_2, \ldots, x_n$ are related
by $\mu$. Therefore, as fuzzy sets model collections of objects, fuzzy relations
model relationships between objects up to some membership degree. For
the purpose of this work, we consider only binary fuzzy relations. So, every
time we mention the term fuzzy relation, we are referring to fuzzy subsets of
the Cartesian product $X_1 \times X_2$.

Definition 6 Let $\Sigma$ be an alphabet, $W$ the carrier of a complete residuated
lattice W, and consider $\Sigma^{*}$ the set of words over $\Sigma$. A fuzzy language over $\Sigma$
is a fuzzy subset of $\Sigma^{*}$, that is, a function $\lambda: \Sigma^{*} \to W$.


Note that all the above concepts are defined over a complete residuated
lattice. On one hand, a complete lattice is needed to guarantee the existence
of suprema for all subsets of $W$. On the other hand, the residuum $\to$ is
used in the context of this work to define a generalised negation for the
values of $W$.


4.2 Building GKAT and I-GKAT Structures


Consider two complete residuated lattices K and T over, respectively,
carriers $K$ and $T$. Fuzzy sets, fuzzy relations and fuzzy languages may be
presented as functions from their domain to, respectively, $K$ and $T$. We
denote by + the supremum of K, and operators ; and $\to$ satisfying the
axioms (1)-(7) and (11) of Figure 2. We use the same notation for operators
of T satisfying (1)-(7) plus (11)-(13). Since + and ; are associative, we
can generalise them to n-ary operators and use the notation $\sum$ and $\prod$ to
represent their iterated versions, respectively. For the specific constructions
presented in this section (as given in Definitions 7, 8 and 9), we assume
both K and T to be complete residuated lattices, ensuring that the following
properties hold:

$$a;\Big(\sum_{i \in I} b_i\Big) = \sum_{i \in I} (a;b_i) \qquad (24)$$

$$\Big(\sum_{i \in I} b_i\Big);a = \sum_{i \in I} (b_i;a) \qquad (25)$$

where $I$ is a (possibly infinite) index set. To formalise these structures as
I-GKAT, we consider ; to be also idempotent, i.e. satisfying (22).


Definition 7 Let $X$ be a set and T a complete residuated lattice over
carrier $T$. The algebra of fuzzy sets over T is the structure

$$FSET(T) = (T^{X}, T^{X}, \cup, \otimes, {}^{*}, \to, \emptyset, \chi)$$

where $T^{X}$ is the set of all fuzzy sets over $X$ and, for all $\varphi, \psi \in T^{X}$ and
$x \in X$, operators are defined pointwise by

with $\varphi^{0}(x) = \chi(x)$ and $\varphi^{k+1}(x) = (\varphi^{k} \otimes \varphi)(x)$. The values of fuzzy sets,
$\varphi(x)$ and $\psi(x)$, are elements of $T$, and 0, 1 are, respectively, the least and
greatest elements of $T$. The partial order $\subseteq$ for fuzzy sets is given by

$$\varphi \subseteq \psi \;\Leftrightarrow\; \forall x \in X.\ \varphi(x) \le \psi(x), \qquad \varphi, \psi \in T^{X}$$

where $\le$ is the order of Definition 2.


Note that, in this definition, the two sets of the signature of FSET(T)
coincide, both defined as functions with codomain $T$.


Relevant research which supports our next contributions can be found
in reference [1]. In the paper, the authors prove that the family of L-fuzzy
sets over a set $X$ is a complete lattice, with respect to the same order of
Definition 7. Our next result extends such a contribution with the proofs of
operations ${}^{*}$ and $\to$.


Theorem 3 For any complete residuated lattice T satisfying (13), FSET(T)
forms a GKAT. If T satisfies (22), FSET(T) forms an I-GKAT.


Proof: Considering the way that the elements of $T^{X}$ and the operators $\cup$, $\otimes$
and $\to$ are defined, it is straightforward to verify that axioms (1) to (7)
and (11) to (13), plus (22) for I-GKAT, are satisfied. We prove that axioms
dealing with operator ${}^{*}$ ((8), (9)) hold as well. Axiom (10) can be proved
analogously to (9).


160 L. Gomes, A. Madeira, L.S. Barbosa 


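Axiom (8):

$$
\begin{array}{ll}
 & (\chi \cup (\varphi \otimes \varphi^{*}))(x) \\
= & \{\ \text{definition of } T^{X}\ \} \\
 & \chi(x) + \varphi(x);\varphi^{*}(x) \\
= & \{\ \text{definition of } \varphi^{*}(x)\ \} \\
 & \chi(x) + \varphi(x);\sum_{k \ge 0} \varphi^{k}(x) \\
= & \{\ \text{definition of } \sum\ \} \\
= & \{\ \text{definition of } \varphi^{k+1}(x)\ \} \\
 & \chi(x) + \varphi(x) + \varphi^{2}(x) + \cdots \\
= & \{\ \text{definition of } \sum\ \} \\
 & \varphi^{*}(x)
\end{array}
$$

Axiom (9):
Let us assume $(\varphi \otimes \psi)(x) \le \psi(x)$, i.e. $\varphi(x);\psi(x) \le \psi(x)$, by definition of
the operators on fuzzy sets. Moreover,

$$
\begin{array}{ll}
 & (\varphi^{*} \otimes \psi)(x) \\
= & \{\ \text{definitions of } {}^{*} \text{ and } \otimes\ \} \\
 & \big(\sum_{k \ge 0} \varphi^{k}(x)\big);\psi(x) \\
= & \{\ \text{definition of } \sum\ \} \\
 & (\varphi^{0}(x) + \varphi^{1}(x) + \cdots);\psi(x) \\
= & \{\ (25) \text{ and } (4)\ \} \\
 & \psi(x) + \varphi(x);\psi(x) + \cdots
\end{array}
$$

By hypothesis and given that $\varphi(x);\varphi(x) \le \varphi(x)$, for all $\varphi(x) \in T$, we
conclude that

$$\psi(x) + \varphi(x);\psi(x) + \cdots \le \psi(x)$$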


A similar approach can be followed in the case of fuzzy relations. We start
by defining an algebra of such relations over complete residuated lattices K
and T.


Definition 8 Let $X$ be a set, K and T complete residuated lattices (T
satisfies (13)) over, respectively, carriers $K$ and $T$. The algebra of fuzzy
relations over K and T is defined as

$$FREL(K, T) = (K^{X \times X}, T^{X \times X}, \cup, \circ, {}^{*}, \to, \emptyset, \Delta)$$

where $K^{X \times X}$ is the set of all fuzzy relations over $X \times X$, the elements of
$T^{X \times X}$ are diagonal fuzzy relations, i.e. fuzzy relations $\sigma$ such that $\sigma(x, y) = 0$
whenever $x \ne y$. Moreover, for all $\mu, \nu \in K^{X \times X}$, $\sigma, \eta \in T^{X \times X}$, $x, y, z \in X$,
the operators are defined by

$$
\begin{array}{rcl}
(\mu \cup \nu)(x, y) & = & \mu(x, y) + \nu(x, y) \\
(\mu \circ \nu)(x, y) & = & \sum_{z \in X} \mu(x, z);\nu(z, y) \\
(\mu^{*})(x, y) & = & \sum_{k \ge 0} \mu^{k}(x, y) \\
(\sigma \to \eta)(x, y) & = & \ldots \\
\emptyset(x, y) & = & 0 \\
\Delta(x, y) & = & \begin{cases} 1, & \text{if } x = y \\ 0, & \text{otherwise} \end{cases}
\end{array}
$$

with $\mu^{0}(x, y) = \Delta(x, y)$, $\mu^{k+1}(x, y) = (\mu^{k} \circ \mu)(x, y)$. The values of fuzzy
relations, $\mu(x, y)$ and $\nu(x, y)$, are elements of $K$, the values of $\sigma(x, y)$ and
$\eta(x, y)$ are elements of $T$, and, finally, constants 0, 1 are the least and the
greatest elements of $T$. Similarly to the previous one, the partial order $\subseteq$ for
fuzzy relations is given by

$$\mu \subseteq \nu \;\Leftrightarrow\; \forall (x, y) \in X \times X.\ \mu(x, y) \le \nu(x, y), \qquad \mu, \nu \in K^{X \times X}$$

where $\le$ is the order referred to in Definition 2.


Theorem 4 Given complete residuated lattices K and T (T satisfies (13)), 
FREL(K,T) is a GKAT. If T satisfies (22), then FREL(K, T) is also a 
I-GKAT. 


Proof: The validity of (1) and (2) follows immediately from the definitions
of operators on fuzzy relations. Let $\mu, \nu, \xi \in K^{X \times X}$ and $x, y, z, w \in X$.


Axiom (3): 


$((\mu \circ \nu) \circ \xi)(x,y)$
= { definition of $\circ$ }
$\sum_{z \in X} \big(\sum_{w \in X} \mu(x,w); \nu(w,z)\big); \xi(z,y)$
= { definition of $\sum$ and $z_i, w_i \in X, 1 \leq i \leq n$ }
$(\mu(x,w_1); \nu(w_1,z_1) + \cdots + \mu(x,w_n); \nu(w_n,z_1)); \xi(z_1,y) + \cdots$
$+ (\mu(x,w_1); \nu(w_1,z_n) + \cdots + \mu(x,w_n); \nu(w_n,z_n)); \xi(z_n,y)$
= { (25) and (3) }
$\mu(x,w_1); (\nu(w_1,z_1); \xi(z_1,y)) + \cdots + \mu(x,w_n); (\nu(w_n,z_1); \xi(z_1,y)) + \cdots$
$+ \mu(x,w_1); (\nu(w_1,z_n); \xi(z_n,y)) + \cdots + \mu(x,w_n); (\nu(w_n,z_n); \xi(z_n,y))$
= { (2) and (24) }
$\mu(x,w_1); (\nu(w_1,z_1); \xi(z_1,y) + \cdots + \nu(w_1,z_n); \xi(z_n,y)) + \cdots$
$+ \mu(x,w_n); (\nu(w_n,z_1); \xi(z_1,y) + \cdots + \nu(w_n,z_n); \xi(z_n,y))$
= { definition of $\sum$ }
$\sum_{w \in X} \big(\mu(x,w); \big(\sum_{z \in X} \nu(w,z); \xi(z,y)\big)\big)$
= { definition of $\circ$ }
$(\mu \circ (\nu \circ \xi))(x,y)$

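Axiom (4):

$(\mu \circ \Delta)(x,y)$
= { definition of $\circ$ }
$\sum_{z \in X} \mu(x,z); \Delta(z,y)$
= { definition of $\sum$ and $z_i \in X, 1 \leq i \leq n$ }
$\mu(x,z_1); \Delta(z_1,y) + \cdots + \mu(x,z_n); \Delta(z_n,y)$
= { definition of $\Delta$ }
$\mu(x,z_1); 1 + \cdots + \mu(x,z_n); 1$,
for all $\Delta(z_i,y) = 1$, $1 \leq i \leq n$
= { (4) }
$\mu(x,z_1) + \cdots + \mu(x,z_n)$
= { definition of $\mu$ }
$\mu(x,y)$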


Axiom (5):

$(\mu \circ (\nu \cup \xi))(x,y)$
= { definitions of $\circ$ and $\cup$ }
$\sum_{z \in X} \mu(x,z); (\nu(z,y) + \xi(z,y))$
= { definition of $\sum$ and $z_i \in X, 1 \leq i \leq n$ }
$\mu(x,z_1); (\nu(z_1,y) + \xi(z_1,y)) + \cdots + \mu(x,z_n); (\nu(z_n,y) + \xi(z_n,y))$
= { (5) }
$\mu(x,z_1); \nu(z_1,y) + \mu(x,z_1); \xi(z_1,y) + \cdots$
$+ \mu(x,z_n); \nu(z_n,y) + \mu(x,z_n); \xi(z_n,y)$
= { (2) }
$\mu(x,z_1); \nu(z_1,y) + \cdots + \mu(x,z_n); \nu(z_n,y)$
$+ \mu(x,z_1); \xi(z_1,y) + \cdots + \mu(x,z_n); \xi(z_n,y)$
= { definition of $\sum$ }
$\sum_{z \in X} \mu(x,z); \nu(z,y) + \sum_{z \in X} \mu(x,z); \xi(z,y)$
= { definitions of $\circ$ and $\cup$ on fuzzy relations }
$((\mu \circ \nu) \cup (\mu \circ \xi))(x,y)$


Axioms (6) to (10): The proof of Axiom (6) is analogous. Axiom (7) follows
straightforwardly, since $\emptyset(x,y) = 0$ is the absorbent element of $;$ over $K$.
Axioms (8)-(10) are proved as in Theorem 3, but, of course, taking the
definition of composition of fuzzy relations, i.e.


$$(\mu \circ \nu)(x,y) = \sum_{z \in X} \mu(x,z); \nu(z,y)$$


for all $\mu, \nu \in K^{X \times X}$. As in Theorem 3, we only verify axioms (8) and (9).
The validity of (10) is left for the reader, since the arguments used are
essentially the same as for (9).


Axiom (8): 


$(\Delta \cup (\mu \circ \mu^*))(x,y)$
= { definition of $\cup$, $\circ$ and $*$ }
$\Delta(x,y) + \sum_{z \in X} \big(\mu(x,z); \big(\sum_{k \geq 0} \mu^k(z,y)\big)\big)$
= { definition of $\mu$ }
$\Delta(x,y) + \sum_{z \in X} (\mu(x,z); \mu^0(z,y) + \mu(x,z); \mu^1(z,y) + \cdots)$
= { definition of $\sum$ and $z_i \in X, 1 \leq i \leq n$ }
$\Delta(x,y) + \mu(x,z_1); \mu^0(z_1,y) + \mu(x,z_1); \mu^1(z_1,y) + \cdots$
$+ \mu(x,z_n); \mu^0(z_n,y) + \mu(x,z_n); \mu^1(z_n,y) + \cdots$
= { definition of $\mu^{k+1}$ }
$\Delta(x,y) + \mu^1(x,y) + \mu^2(x,y) + \cdots + \mu^1(x,y) + \mu^2(x,y) + \cdots$
= { (2) and (14) }
$\Delta(x,y) + \mu^1(x,y) + \mu^2(x,y) + \cdots$
= { definition of $*$ }
$\mu^*(x,y)$


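Axiom (9): We assume the left side of the implication of (9) for elements


$$(\mu \circ \nu)(x,y) \leq \nu(x,y) \Leftrightarrow \sum_{z \in X} \mu(x,z); \nu(z,y) \leq \nu(x,y)$$


by definition of $\circ$ on fuzzy relations.


$(\mu^* \circ \nu)(x,y)$
= { definitions of $\circ$ and $*$ }    (26)
$\sum_{z \in X} \big(\sum_{k \geq 0} \mu^k(x,z)\big); \nu(z,y)$
= { definition of $\sum$, (25) and $z_i \in X, 1 \leq i \leq n$ }    (27)
$\mu^0(x,z_1); \nu(z_1,y) + \mu^1(x,z_1); \nu(z_1,y) + \cdots$
$+ \mu^0(x,z_n); \nu(z_n,y) + \mu^1(x,z_n); \nu(z_n,y) + \cdots$    (28)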


Resorting to (2) and the hypothesis, the terms of (28) are re-organised as
follows. For $k = 0$

$$\mu^0(x,z_1); \nu(z_1,y) + \cdots + \mu^0(x,z_n); \nu(z_n,y) \leq \nu(x,y)$$

and for $k = 1$

$$\mu(x,z_1); \nu(z_1,y) + \cdots + \mu(x,z_n); \nu(z_n,y) \leq \nu(x,y).$$

Each term $\mu^k(x,z_i); \nu(z_i,y)$, for $k \geq 2$, for each $z_i$, $1 \leq i \leq n$, becomes


$$(\mu \circ \cdots \circ \mu)(x,z_i); \nu(z_i,y) = \sum_{w^1 \in X} \Big(\cdots \sum_{w^k \in X} \big(\mu(x,w^1); \mu(w^1,w^2)\big); \cdots ; \mu(w^k,z_i)\Big); \nu(z_i,y)$$


Using (25), (3) and the hypothesis, we can simplify the expression and
prove (9). As an example, the term for $k = 2$, for each $z_i$, $1 \leq i \leq k$ is
computed as follows; generalisation to other values for $k$ being straightforward.

$\mu^2(x,z_i); \nu(z_i,y)$
= { definition of $\mu^k$ of Definition 8 }
$(\mu \circ \mu)(x,z_i); \nu(z_i,y)$
= { definition of $\circ$ }
$\big(\sum_{w \in X} (\mu(x,w); \mu(w,z_i))\big); \nu(z_i,y)$
= { definition of $\sum$ and $w_i \in X, 1 \leq i \leq n$ }
$(\mu(x,w_1); \mu(w_1,z_i) + \cdots + \mu(x,w_n); \mu(w_n,z_i)); \nu(z_i,y)$
= { (25) and (3) }
$\mu(x,w_1); (\mu(w_1,z_i); \nu(z_i,y)) + \cdots + \mu(x,w_n); (\mu(w_n,z_i); \nu(z_i,y))$
$\leq$ { $\mu(x,z); \nu(z,y) \leq \nu(x,y)$ for all $x, y, z \in X$ and monotonicity of $;$ and $+$ }
$\mu(x,w_1); \nu(w_1,y) + \cdots + \mu(x,w_n); \nu(w_n,y)$
= { hypothesis }
$\sum_{w \in X} \mu(x,w); \nu(w,y) \leq \nu(x,y)$

So, we prove that (28) becomes $\nu(x,y) + \cdots + \nu(x,y)$, reduced by (14) to
$\nu(x,y)$.


Axiom (11) ("$\Rightarrow$"): Let $\sigma, \eta, \theta \in T^{X \times X}$ and assume


$(\sigma \circ \eta)(x,y) \leq \theta(x,y)$
= { definition of $\circ$ }
$\sum_{z \in X} \sigma(x,z); \eta(z,y) \leq \theta(x,y)$
= { definition of $\sum$ and $z_i \in X, 1 \leq i \leq n$ }
$\sigma(x,z_1); \eta(z_1,y) + \cdots + \sigma(x,z_n); \eta(z_n,y) \leq \theta(x,y)$

Since $\sigma(x,z_i), \eta(z_i,y) \in T^{X \times X}$, there is, at most, one $1 \leq i \leq n$ such
that $x = z_i$ and $z_i = y$.

So, $\sigma(x,z_1); \eta(z_1,y) + \cdots + \sigma(x,z_n); \eta(z_n,y) = \sigma(x,z_i); \eta(z_i,y) \leq \theta(x,y)$,
for the only $1 \leq i \leq n$ such that $x = z_i$ and $z_i = y$. Since $\sigma(x,z_i)$,
$\eta(z_i,y)$ and $\theta(x,y) \in T$, by (11) on $T$, $\sigma(x,z_i); \eta(z_i,y) \leq \theta(x,y)$ implies
$\eta(x,y) \leq \sigma(x,y) \to \theta(x,y)$. The proof of ("$\Leftarrow$") is analogous.


Axiom (12): The proof of (12) is trivial, since $\sigma(x,y) \leq 1 = \Delta(x,y)$, for all
$\sigma(x,y) \in T^{X \times X}$.


Axiom (13): First observe that

$(\sigma \circ \eta)(x,y)$
= { definition of $\circ$ }
$\sum_{z \in X} \sigma(x,z); \eta(z,y)$
= { definition of $\sum$ and $z_i \in X, 1 \leq i \leq n$ }
$\sigma(x,z_1); \eta(z_1,y) + \cdots + \sigma(x,z_n); \eta(z_n,y)$,
for all $\sigma(x,z_i), \eta(z_i,y) \neq 0$, with $1 \leq i \leq n$


Clearly $x = z_i = y$, using the definition of $\sigma(x,y)$, for all $\sigma \in T^{X \times X}$. Thus,
the proof follows directly from (13) for elements of $T$, as shown below.


$\eta(x,z_1); \sigma(z_1,y) + \cdots + \eta(x,z_n); \sigma(z_n,y)$
= { definition of $\sum$ }
$\sum_{z \in X} \eta(x,z); \sigma(z,y)$
= { definition of $\circ$ }
$(\eta \circ \sigma)(x,y)$


To prove that FREL(T) is also a I-GKAT, for any complete residuated 
lattice T, we need to prove axiom (22). 


Axiom (22):


$(\sigma \circ \sigma)(x,y)$
= { definition of $\circ$ }
$\sum_{z \in X} \sigma(x,z); \sigma(z,y)$
= { definition of $\sum$ and $z_i \in X, 1 \leq i \leq n$ }
$\sigma(x,z_1); \sigma(z_1,y) + \cdots + \sigma(x,z_n); \sigma(z_n,y)$

Again, $\sigma(x,z_1); \sigma(z_1,y) + \cdots + \sigma(x,z_n); \sigma(z_n,y)$ reduces to
$\sigma(x,z_i); \sigma(z_i,y)$, for the only $1 \leq i \leq n$ such that $x = z_i = y$. But
$\sigma(x,z_i); \sigma(z_i,y) = \sigma(x,y)$, by (22), since $\sigma(x,z_i), \sigma(z_i,y) \in T$.


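Definition 9 Let $\Sigma$ be an alphabet, $\Sigma^*$ the set of all words over $\Sigma$ and K, T
complete residuated lattices (T satisfies (22)). The algebra of fuzzy languages
over K, T is defined as


$$FLANG(K, T) = (K^{\Sigma^*}, T^{\Sigma^*}, \cup, \cdot, {}^{*}, \to, \emptyset, \varepsilon)$$


where $K^{\Sigma^*}$ stands for the set of all fuzzy languages over $\Sigma$, the elements
of $T^{\Sigma^*}$ are languages defined by


$$\iota(a_1 \ldots a_n) = \begin{cases} a, & \text{if } a_1 \ldots a_n = \varepsilon, \text{ with } \varepsilon \text{ being the empty word} \\ 0, & \text{otherwise} \end{cases}$$


where $a \in T$ and, for all $\lambda_1, \lambda_2 \in K^{\Sigma^*}$ and all $\iota_1, \iota_2 \in T^{\Sigma^*}$, given a word
$a_1 \ldots a_n \in \Sigma^*$, the operators $\cup$, $\cdot$, $*$, $\to$, $\emptyset$ and $\varepsilon$ are defined as:


$$
\begin{aligned}
(\lambda_1 \cup \lambda_2)(a_1 \ldots a_n) &= \lambda_1(a_1 \ldots a_n) + \lambda_2(a_1 \ldots a_n) \\
(\lambda_1 \cdot \lambda_2)(a_1 \ldots a_n) &= \sum_{i=1}^{n-1} \lambda_1(a_1 \ldots a_i); \lambda_2(a_{i+1} \ldots a_n) \\
(\lambda^*)(a_1 \ldots a_n) &= \sum_{k \geq 0} \lambda^k(a_1 \ldots a_n)
\end{aligned}
$$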


Te keen (¢1 (ay an a; 4) => 12 (a4 svete Ga) hse < n, 


if ay...aj-1 = € 


(U1 =H. 12) (a; ee Gn) 
0, otherwise 


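$$
\begin{aligned}
\emptyset(a_1 \ldots a_n) &= 0 \\
\varepsilon(a_1 \ldots a_n) &= \begin{cases} 1, & \text{if } a_1 \ldots a_n = \varepsilon, \text{ with } \varepsilon \text{ being the empty word} \\ 0, & \text{otherwise} \end{cases}
\end{aligned}
$$


with $\lambda^0(a_1 \ldots a_n) = \varepsilon(a_1 \ldots a_n)$ and $\lambda^{k+1}(a_1 \ldots a_n) = (\lambda^k \cdot \lambda)(a_1 \ldots a_n)$.
The values of fuzzy sets, $\lambda_1(a_1 \ldots a_n)$ and $\lambda_2(a_1 \ldots a_n)$, are elements of $K$,
and 0, 1 are the least and greatest elements of $T$. The partial order $\subseteq$ for
fuzzy languages is given by


$$\lambda_1 \subseteq \lambda_2 \Leftrightarrow \forall a_1 \ldots a_n \in \Sigma^*.\ \lambda_1(a_1 \ldots a_n) \leq \lambda_2(a_1 \ldots a_n), \quad \lambda_1, \lambda_2 \in K^{\Sigma^*}$$


where $\leq$ is the order of Definition 2.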
Theorem 5 Given complete residuated lattices K and T (T satisfies (13)
and (22)), FLANG(K,T) is a I-GKAT.


Proof: Since a fuzzy language is a fuzzy subset of a set of elements (in
this case, the alphabet $\Sigma^*$) and the operators $\cup$ and $*$ are defined as $\cup$ and $*$
in FSET(T), respectively, and $\cdot$ as $\circ$ in FREL(K, T), the proof is identical
to that of Theorem 3 for operators $\cup$ and $*$, and to that of Theorem 4 for
the $\cdot$ operator.

It remains to prove axiom (11): Take $\iota_1, \iota_2, \iota_3 \in T^{\Sigma^*}$ and $v \in \Sigma^*$.
Consider first the case $v \neq \varepsilon$.

Assuming (41 -42)(v) < ¢3() > D2, a» 41 (V1); 42(v2) < o3(v) = e3(v) = 0 
we want to prove that to(v) < (41 > 23)(v). But, by definition of » and —, 
to(v) < (41 3 e3)(v) BO < 0. 

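Consider now $v = \varepsilon$. We want to prove that


$$(\iota_1 \cdot \iota_2)(\varepsilon) \leq \iota_3(\varepsilon) \Leftrightarrow \iota_2(\varepsilon) \leq (\iota_1 \to \iota_3)(\varepsilon)$$


$\iota_2(\varepsilon) \leq (\iota_1 \to \iota_3)(\varepsilon)$
= { definition of $\to$ }
$\iota_2(\varepsilon) \leq \prod_{u} (\iota_1(u) \to \iota_3(u\varepsilon))$
= { definition of $\prod$ }
$\iota_2(\varepsilon) \leq (\iota_1(u_1) \to \iota_3(u_1\varepsilon)); \ldots; (\iota_1(u_{n-1}) \to \iota_3(u_{n-1}\varepsilon)); (\iota_1(\varepsilon) \to \iota_3(\varepsilon\varepsilon))$,
$u_1, \ldots, u_{n-1} \neq \varepsilon$
= { definition of $\iota$ }
$\iota_2(\varepsilon) \leq (0 \to 0); \ldots; (0 \to 0); (\iota_1(\varepsilon) \to \iota_3(\varepsilon))$
= { $0 \to 0 = 1$ for all integral lattices ([24]) and (4) }
$\iota_2(\varepsilon) \leq \iota_1(\varepsilon) \to \iota_3(\varepsilon)$
$\Leftrightarrow$ { (11) }
$\iota_1(\varepsilon); \iota_2(\varepsilon) \leq \iota_3(\varepsilon)$
= { definition of $\cdot$ }
$(\iota_1 \cdot \iota_2)(\varepsilon) \leq \iota_3(\varepsilon)$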


Now we present the construction of matrices over a GKAT and I-GKAT. 
Definition 10 Let $A = (K, T, +, ;, {}^{*}, \to, 0, 1)$ be a GKAT (or a I-GKAT).
The algebra consisting of the family $M(n, K)$ of $n \times n$ matrices over $A$ is
defined as


$$M(n, A) = (M(n, K), \Delta(n, T), +, ;, {}^{*}, \to, 0_n, I_n)$$

where $+$ and $;$ stand for the usual matrix addition and multiplication, respectively;
$0_n$ is the $n \times n$ matrix of zeros and $I_n$ the $n \times n$ identity matrix. The
subalgebra is the set $\Delta(n, T)$ of $n \times n$ diagonal matrices, with operators $+$
and $;$ and matrices $0_n$ and $I_n$ defined in the same way. The entries of the
diagonal matrices are elements of the subalgebra $(T, +, ;, 0, 1)$ of GKAT (or
I-GKAT) $A$. Finally, operation $\to$ is defined as:


0 otherwise 


A-~ B= 
Theorem 6 M(n, A) is a GKAT and a I-GKAT. 
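Proof: It was already proved by Kozen [21] that the structure
$$(M(n, K), +, ;, {}^{*}, 0_n, I_n)$$
forms a Kleene algebra. Then, it remains to prove that
$$(\Delta(n, T), +, ;, 0_n, I_n)$$
is the subalgebra of Definition 2, i.e. satisfies the axioms (11)-(13).


Let
$$
A = \begin{pmatrix} a_{11} & 0 & \cdots & 0 \\ 0 & a_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & a_{nn} \end{pmatrix}, \quad
B = \begin{pmatrix} b_{11} & 0 & \cdots & 0 \\ 0 & b_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & b_{nn} \end{pmatrix} \quad \text{and} \quad
C = \begin{pmatrix} c_{11} & 0 & \cdots & 0 \\ 0 & c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_{nn} \end{pmatrix}
$$
be elements of $\Delta(n, T)$.
For (11) we prove that $A; B + C = C \Rightarrow B + A \to C = A \to C$. Using
the definitions of the operators, we obtain

$$= \begin{pmatrix} c_{11} & 0 & \cdots & 0 \\ 0 & c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_{nn} \end{pmatrix}$$


which is equivalent to


$$
\begin{pmatrix} a_{11}; b_{11} + c_{11} & 0 & \cdots & 0 \\ 0 & a_{22}; b_{22} + c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & a_{nn}; b_{nn} + c_{nn} \end{pmatrix}
= \begin{pmatrix} c_{11} & 0 & \cdots & 0 \\ 0 & c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_{nn} \end{pmatrix}
$$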


In order for two matrices to be equal, their elements must be equal in the 
corresponding positions. So, the assumption is 


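$$
\begin{aligned}
a_{11}; b_{11} + c_{11} &= c_{11} \\
a_{22}; b_{22} + c_{22} &= c_{22} \\
&\ \vdots \\
a_{nn}; b_{nn} + c_{nn} &= c_{nn}
\end{aligned}
$$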


We have to prove that 


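$$
\begin{pmatrix} b_{11} & 0 & \cdots & 0 \\ 0 & b_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & b_{nn} \end{pmatrix}
+ \begin{pmatrix} a_{11} & 0 & \cdots & 0 \\ 0 & a_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & a_{nn} \end{pmatrix}
\to \begin{pmatrix} c_{11} & 0 & \cdots & 0 \\ 0 & c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_{nn} \end{pmatrix}
= \begin{pmatrix} a_{11} & 0 & \cdots & 0 \\ 0 & a_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & a_{nn} \end{pmatrix}
\to \begin{pmatrix} c_{11} & 0 & \cdots & 0 \\ 0 & c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_{nn} \end{pmatrix}
$$

$$
\Leftrightarrow \begin{pmatrix} b_{11} + a_{11} \to c_{11} & 0 & \cdots & 0 \\ 0 & b_{22} + a_{22} \to c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & b_{nn} + a_{nn} \to c_{nn} \end{pmatrix}
= \begin{pmatrix} a_{11} \to c_{11} & 0 & \cdots & 0 \\ 0 & a_{22} \to c_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & a_{nn} \to c_{nn} \end{pmatrix}
$$

$$
\begin{aligned}
b_{11} + a_{11} \to c_{11} &= a_{11} \to c_{11} \\
b_{22} + a_{22} \to c_{22} &= a_{22} \to c_{22} \\
&\ \vdots \\
b_{nn} + a_{nn} \to c_{nn} &= a_{nn} \to c_{nn}
\end{aligned}
$$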


But, since $a_{ij}, b_{ij}, c_{ij} \in T$ for all $1 \leq i, j \leq n$ it is verified by axiom (11) of
GKAT that


$$
\begin{aligned}
a_{11}; b_{11} + c_{11} = c_{11} &\Rightarrow b_{11} + a_{11} \to c_{11} = a_{11} \to c_{11} \\
a_{22}; b_{22} + c_{22} = c_{22} &\Rightarrow b_{22} + a_{22} \to c_{22} = a_{22} \to c_{22} \\
&\ \vdots \\
a_{nn}; b_{nn} + c_{nn} = c_{nn} &\Rightarrow b_{nn} + a_{nn} \to c_{nn} = a_{nn} \to c_{nn}
\end{aligned}
$$


The proof for $\Leftarrow$ is similar. The proofs of axioms (12) and (13) are
analogous, using the definitions of the operators over elements of $\Delta(n, T)$.
Note, in particular, the proof of axiom (13). It is well known that the
multiplication of matrices is not commutative. However, since axiom (13)
is only applied to elements of $\Delta(n, T)$, that is, diagonal matrices, and the
multiplication of diagonal matrices is commutative, this axiom is valid for
all GKAT.

To prove that this also forms a I-GKAT, it suffices to show the validity
of (22). The proof is similar to the one presented for GKAT, for all $A, B, C \in \Delta(n, T)$,
using the definitions of the operators over elements of $\Delta(n, T)$.


5 A Folk Theorem Adapted to a Graded Scenario 


This section illustrates our constructions revisiting a result on denesting two 
nested while loops [22], in a scenario where both assertions and computations 
are expressed in a weighted context. Most proofs in D. Kozen’s paper [22] 
rely on the use of a commutativity condition (b; p = p;b) which asserts that 
the execution of program p does not modify the value of test b. In KAT, 
it is possible to argue, as well, that if p does not affect b, neither should it
affect $\bar{b}$, which is formally stated through the following lemma:

Lemma 3 In any Kleene algebra with tests the following are equivalent:
(1) $b; p = p; b$
(2) $\bar{b}; p = p; \bar{b}$
(3) $b; p; \bar{b} + \bar{b}; p; b = 0$


In GKAT, however, negation is relaxed and expressed as $a \to 0$, for all $a \in T$.
So, the conditions above must be written as


(1) $b; p = p; b$
(2) $(b \to 0); p = p; (b \to 0)$
(3) $b; p; (b \to 0) + (b \to 0); p; b = 0$
However, it is important to note that not all implications hold in GKAT. 


Lemma 4 (1) $\Leftrightarrow$ (2) does not hold in GKAT.


Proof: This can be shown by the following counter example: a GKAT over
the set $\{0, n, m, 1\}$, with $\{0, m, 1\} \subseteq T$ and $n \in K$, in which the operator $*$
maps all points to the top element 1 and the remaining operators are defined
as follows:


[Operation tables for the remaining operators over $\{0, n, m, 1\}$; entries not recoverable from the source]


If $b = n$, $p = m$, the instantiation of $b; p = p; b \Leftrightarrow (b \to 0); p = p; (b \to 0)$
becomes
$$n; m = m; n \Leftrightarrow (n \to 0); m = m; (n \to 0)$$


Thus, the expression turns into $0 = n \Leftrightarrow 0 = 0$, which is clearly false.
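
The following Python example is added here and is not code from the paper: it instantiates FREL(K, T) of Definition 8 on a two-point X, checks axioms (8), (9), (11), (13) and (22) by enumeration as in Theorem 4, and searches the same model for a test b and relation p that separate conditions (1) and (2) of Lemma 4. It assumes K = T is a single finite chain with Gödel or Łukasiewicz operations and reads the axioms in the form used in the proofs above; all class and function names are hypothetical.

```python
# Added illustration, not code from the paper. Assumptions: K = T is one finite
# chain, X = {0..n-1}, and every name below is hypothetical.
from itertools import product

class Chain:
    """Finite chain 0 < 1 < ... < top with '+' = max; ';' and '->' depend on kind."""
    def __init__(self, top, kind):
        self.top, self.kind = top, kind
    def mul(self, a, b):                      # the monoid operation ';'
        return min(a, b) if self.kind == "godel" else max(0, a + b - self.top)
    def imp(self, a, b):                      # residuum: largest c with a;c <= b
        if a <= b:
            return self.top
        return b if self.kind == "godel" else self.top - a + b

def relations(L, n, diagonal=False):
    """All fuzzy relations on X, or only the diagonal ones (the tests)."""
    vals = range(L.top + 1)
    if diagonal:
        for d in product(vals, repeat=n):
            yield tuple(tuple(d[i] if i == j else 0 for j in range(n)) for i in range(n))
    else:
        for flat in product(vals, repeat=n * n):
            yield tuple(flat[i * n:(i + 1) * n] for i in range(n))

def delta(L, n):                              # identity relation
    return tuple(tuple(L.top if i == j else 0 for j in range(n)) for i in range(n))

def union(r, s):                              # pointwise '+'
    return tuple(tuple(map(max, a, b)) for a, b in zip(r, s))

def comp(L, r, s):                            # (r o s)(x,y) = sum_z r(x,z);s(z,y)
    n = len(r)
    return tuple(tuple(max(L.mul(r[x][z], s[z][y]) for z in range(n))
                       for y in range(n)) for x in range(n))

def star(L, r):                               # sum of the powers r^0 + r^1 + ...
    power = total = delta(L, len(r))
    while True:
        power = comp(L, power, r)             # r^(k+1) = r^k o r
        grown = union(total, power)
        if grown == total:                    # a stalled sum absorbs all later powers
            return total
        total = grown

def arrow(L, s, t):                           # residuum on diagonal relations
    n = len(s)
    return tuple(tuple(L.imp(s[x][y], t[x][y]) if x == y else 0 for y in range(n))
                 for x in range(n))

def leq(r, s):
    return all(a <= b for p, q in zip(r, s) for a, b in zip(p, q))

def check_frel(L, n=2):
    """Exhaustively test the axioms used in Theorem 4 on FREL(L, L) over n points."""
    rels, tests, one = list(relations(L, n)), list(relations(L, n, True)), delta(L, n)
    st = {r: star(L, r) for r in rels}
    return {
        "(8)": all(union(one, comp(L, r, st[r])) == st[r] for r in rels),
        "(9)": all(leq(comp(L, st[r], v), v)
                   for r in rels for v in rels if leq(comp(L, r, v), v)),
        "(11)": all(leq(comp(L, s, e), t) == leq(e, arrow(L, s, t))
                    for s in tests for e in tests for t in tests),
        "(13)": all(comp(L, s, e) == comp(L, e, s) for s in tests for e in tests),
        "(22)": all(comp(L, s, s) == s for s in tests),
    }

def lemma4_witness(L, n=2):
    """First (b, p, c1, c2) where exactly one of conditions (1), (2) holds, else None."""
    zero = tuple((0,) * n for _ in range(n))
    for b in relations(L, n, diagonal=True):
        nb = arrow(L, b, zero)                          # graded negation b -> 0
        for p in relations(L, n):
            c1 = comp(L, b, p) == comp(L, p, b)         # (1) b;p = p;b
            c2 = comp(L, nb, p) == comp(L, p, nb)       # (2) (b->0);p = p;(b->0)
            if c1 != c2:
                return b, p, c1, c2
    return None

if __name__ == "__main__":
    for name, L in [("Goedel", Chain(2, "godel")), ("Lukasiewicz", Chain(2, "lukasiewicz"))]:
        print(name, check_frel(L))
    print("Boolean chain:", lemma4_witness(Chain(1, "godel")))
    print("three-valued Goedel chain:", lemma4_witness(Chain(2, "godel")))
```

On the two-element chain, which is the Boolean setting of Lemma 3, the search returns None; on the three-element Gödel chain it returns a test b and a relation p for which (2) holds and (1) fails. On the three-element Łukasiewicz chain every checked axiom holds except (22), so that instance is a GKAT model but not an I-GKAT one.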
Lemma 5 Implications (1) $\Rightarrow$ (3) and (2) $\Rightarrow$ (3) hold in GKAT.


Proof: Both implications arise by commutativity and the fact that
$a; (a \to 0) = 0$, for all $a \in T$.


Lemma 6 Implication (3) $\Rightarrow$ (1) does not hold in GKAT.


Proof: This can be shown by the following counter example: a GKAT over
the set $\{0, n, m, 1\}$, with $\{0, n, 1\} \subseteq T$ and $m \in K$, in which the operator $*$
maps all points to the top element 1 and the remaining operators are defined
as follows:


[Operation tables for the remaining operators over $\{0, n, m, 1\}$; entries not recoverable from the source]


If $b = n$, $p = m$, the instantiation of $b; p; (b \to 0) + (b \to 0); p; b = 0 \Rightarrow b; p = p; b$
becomes $0 = 0 \Rightarrow n = 0$ which is obviously false.


Lemma 7 Implication (3) $\Rightarrow$ (2) does not hold in GKAT.


Proof: Consequence of Lemma 4 and Lemma 5.

The intuitive interpretation of these implications is that if p preserves b
(or $b \to 0$), the execution of p between testing b and its complement, no
matter which test is performed first, always halts. A similar result holds for
I-GKAT and is proved along similar lines.

We can therefore argue that this dependency on commutativity con- 
ditions becomes a hindrance for proving most of the results on program 
equivalence that we intend: it is impossible to handle such proofs in a 
(quasi) equational way without considering them. However, the result that 
is, perhaps, the most interesting one, of denesting two nested while loops, 
does not resort to the commutativity conditions. Let us detail this example. 
5.1 Nested Loops


The original proof in the above mentioned paper [22] relies on one of De Morgan
laws to prove the intended result. More precisely, the proof uses the rule


$$\neg(a \lor b) = \neg a \land \neg b$$

that can be formalised in our setting as

$$(a + b) \to 0 = (a \to 0); (b \to 0) \qquad (29)$$


Since, in general, this rule does not hold in I-GKAT, we have to impose it
in the following characterisation. Note that the rule holds in all instances of
I-GKAT enumerated in the paper, namely 1, 2, 3 and 6.

We are now in conditions to show that a pair of while loops can be 
transformed into a single while loop inside a conditional test, as formalised 
in the following theorem: 


Theorem 7 The program


    while b do begin
        p;
        while c do q
    end                                  (30)

is equivalent to

    if b then begin
        p;
        while b + c do
            if c then q else p
    end                                  (31)

in I-GKAT extended with (29).


Proof: The proof uses reasoning analogous to the one presented in [22].
To prove the equivalence, we need the following identities:

$$p; (q; p)^* = (p; q)^*; p \qquad (32)$$

$$p^*; (q; p^*)^* = (p + q)^* \qquad (33)$$

which are derivable from the axioms of Kleene algebra and were proved
in [21].

In order to prove the equivalence (30) $\Leftrightarrow$ (31), let us start by translating
both programs to the language of Kleene algebra. Program (30) becomes


$$(b; p; (c; q)^*; (c \to 0))^*; (b \to 0), \qquad (34)$$

and (31) becomes*


$$b; p; ((b + c); (c; q + (c \to 0); p))^*; ((b + c) \to 0) + (b \to 0) \qquad (35)$$


Simplifying (34),


$(b; p; (c; q)^*; (c \to 0))^*; (b \to 0)$
= { (8) }
$(1 + b; p; (c; q)^*; (c \to 0); (b; p; (c; q)^*; (c \to 0))^*); (b \to 0)$
= { (6) }
$(b \to 0) + b; p; (c; q)^*; (c \to 0); (b; p; (c; q)^*; (c \to 0))^*; (b \to 0)$
= { (32) }
$(b \to 0) + b; p; (c; q)^*; (c \to 0); (b; p; (c; q)^*)^*; (c \to 0); (b \to 0)$


For (35), the sub expression $(b + c); (c; q + (c \to 0); p)$ becomes

$(b + c); (c; q + (c \to 0); p)$
= { (5) }
$b; c; q + b; (c \to 0); p + c; c; q + c; (c \to 0); p$
= { (22), $a; (a \to 0) = 0$, (7) and (15) }
$b; c; q + b; (c \to 0); p + c; q$
= { (14) and (13) }
$b; c; q + c; q + (c \to 0); b; p$
= { (6) }
$(b + 1); c; q + (c \to 0); b; p$


Moreover, $(b + c) \to 0 = (b \to 0); (c \to 0)$, by (29). Applying these
transformations on (35), we obtain


$$b; p; (c; q + (c \to 0); b; p)^*; (b \to 0); (c \to 0) + (b \to 0)$$


Now, we need to prove that


$$(b \to 0) + b; p; (c; q)^*; (c \to 0); (b; p; (c; q)^*)^*; (c \to 0); (b \to 0) =$$
$$= b; p; (c; q + (c \to 0); b; p)^*; (b \to 0); (c \to 0) + (b \to 0)$$


But, by monotonicity of operators $+$ and $;$, this expression is equivalent to


$$(c; q)^*; ((c \to 0); b; p; (c; q)^*)^* = (c; q + (c \to 0); b; p)^*$$


which is just an instance of the denesting rule (33).


* As in Kozen's paper [22], we interpret the program if b then p as an abbreviation for
a conditional test with the dummy else clause i.e., as the program $b; p + \bar{b}$ ($b; p + b \to 0$ in
our setting).


6 Conclusion and Further Work 


This paper aimed at generalising Kleene algebra with tests, to reason equa- 
tionally about graded computations and assertions about them evaluated in 
a multi-valued truth space. The propositional fragment of classic Hoare logic 
was revisited in this context. We also presented four algebraic constructions 
as models of both generalizations of Kleene algebras introduced in the paper 
(GKAT and I-GKAT): the set of all fuzzy sets, the set of all fuzzy relations, 
the set of all fuzzy languages and the family of square matrices. Finally, 
we discussed (quasi) equational proofs of some classical results on program 
equivalence in a weighted context. 

A similar roadmap is followed by R. Qiao et al. [30] leading to the
introduction of a complete theory of probabilistic KAT to deal with regular
programs with probabilities. However, instead of focusing on broadening the
possible range of values for tests, or on adding an uncertainty concretisation
to them as an immediate consequence on program execution, the authors
opted to add a new operator $+_a$ to the algebraic structure, where $a$ is a
probability. Thus, in their work, a probabilistic Kleene algebra with tests is
defined as

$$(K, T, +, +_a, \cdot, {}^{*}, 0, 1, \neg)$$


where expression $p +_a q$ represents the probabilistic choice between executing
a program p with probability $a$ or a program q with probability $1 - a$.
Other references [6, 25] follow a similar approach introducing probabilities
at the syntactic level, namely through a new choice operator. Our approach,
on the other hand, opted for redefining the notions of test and program
execution. Such an approach, which describes the behaviour of the probabilistic
phenomena, always enforces the production of an outcome (as expressed by
the requirement that the outgoing probabilities always sum to 1). Such is not
the case in the framework adopted in this paper.


The idempotent variant presented in our work is related to the one
based on Heyting domain semirings [10], obtained by relaxing the test algebra
of Kleene algebras with domain. One difference between this structure and
our approach lies in the construction of the structure itself: while ours is
purely propositional and based on KAT, the one of [10] makes use of a unary
operator, the domain operator, to axiomatise the test algebra, resulting in
a one sorted structure. The relaxation of the test algebra is accomplished
by adding an operator on domain elements satisfying (11), with a negation
defined as $p \to 0$. It would be pertinent to do a more detailed analysis of
the set of properties that can be derived for each structure. Moreover, the
authors in [10] point to, as future work, a more in depth exploration of possible
applications and directions that the flexibility of the adopted method can
bring. The formalisation and the proof of the soundness of the Hoare logic
deductive system using the structure based on Heyting domain semirings,
in comparison with our approach, also seems an appropriate discussion
for future work. Additionally, a more recent work [7] investigates
a generalisation of these domain algebras to support fuzzy relations, taken
as functions from pairs of elements to the interval [0, 1]. Differently from our
approach, the authors study an axiomatisation of domain and codomain
operators in the setting of idempotent left semirings, which do not require
left distributivity of multiplication over addition and right annihilation
of 0. Note that we started this work by adopting a presentation similar
to KAT when relaxing its Boolean subalgebra to obtain GKAT and I-GKAT.
In order to present a clearer comparison between these structures,
both axiomatically and in terms of obtained results, we follow the same
propositional presentation, based on KAT.


The approach taken in this paper, adding a residual as a logical implica- 
tion to capture a multi-valued setting, is based on previous work [24], where 
an action lattice is adopted as the basic algebraic structure to generate many- 
valued dynamic logics. Originally derived from action algebras [20], an action 
lattice entails both a generic space of computations, with choice, composition 
and iteration, and, supported by residuation, a proper truth space for a 
non bivalent interpretation of assertions (as a residuated lattice). V. Pratt 
thought about residuation as a pure technicality to obtain a finitely-based 
equational variety [28]. Subsequently, the work of D. Kozen [20] extended
this notion by adding and axiomatizing a meet operation, in order to recover 
the closure under matricial formation typical of Kleene algebra [4]. 


The attentive reader may wonder why concrete illustrations of the 
proposed formalism seem to be lacking. Note, however, that programs are 
interpreted here as weighted relations and tests as truth degrees. Hence, as 
it happens in propositional Hoare logic derived from standard KAT, there is 
no first-order structure to interpret program variables. Consequently, there
is no assignment rule for either GPHL or HPHL, as presented here.
Extending the formalism in this direction, in order to deal with imperative 
fuzzy programs is, naturally, in our agenda. 


Fuzzy Arden Syntax (FAS) [33] is a fuzzy programming language de- 
signed for the medical domain, which extends Arden Syntax (AS) to cater 
for vague or uncertain information often arising in clinical situations. Due to 
the intuitiveness of its syntax, very close to natural language, AS and FAS 
are commonly used as syntax for knowledge base components in medical 
decision support systems [32, 2, 31]. 


Built on the theory of fuzzy sets [37], data types in FAS have been 
generalised to represent truth values between the extremes false and true. 
Moreover, the operations on these types were generalised accordingly. A 
particular consequence that emerges from the nature of these generalisations 
concerns the behaviour of conditional statements: while conditions evaluated
in a bivalent truth space entail the execution of only one branch, in FAS
an if-then-else statement may split. In such cases the variables are
duplicated and both branches are executed in parallel, each with an associated
truth degree. The notion of parallelism inherent to these statements leads
us to rethink the behaviour of PHL variants introduced in this work: the
conditional statements encoded in sections 2 and 3 illustrate non deterministic
choice, despite the possible weighted nature of both computations and
conditions. Indeed, the + operator of Kleene algebra, used to encode
the if-then-else statements in both GKAT and I-GKAT could be
interpreted as (fuzzy) set union in all the examples listed.


Conditionals in FAS are an interesting case-study for the development 
of an algebraic formalism to specify the behaviour of conditional statements 
in fuzzy programming languages. For that, an extension of the algebras
presented in this work, with an appropriate operator to formalize parallelism,
is currently being developed by the authors. In this setting, the works on
Concurrent Kleene algebra [18] and Synchronous Kleene algebra [29] are
worth revisiting.

The results reported in Section 5 lead us to discuss further why some 
properties fail in GKAT. In particular, why the preservation of the value
of b along a computation p entails the corresponding preservation of $\bar{b}$ does
not hold in either GKAT or I-GKAT, as it does in KAT. We observed, in
Section 2, that the negation operator must be relaxed in order to support a 
non bivalent truth space for assertions. Actually, this has influence on the 
validity of the properties in which it is involved. With this modification, 
some classical properties are lost. In particular, the law of excluded middle, 
necessary to prove the discussed implications, is no longer valid. 

In all variants of dynamic logic discussed in the literature, even when 
some forms of structured computations are taken into consideration, the 
validity of assertions (for example, of Hoare triples annotating a program) is 
always stated in classical terms. This means that, even when the object of 
reasoning is e.g. a fuzzy program or a quantum system, the validity of an 
assertion over it is discussed in classical, two-valued logic. 

In this work we assumed, as in classical PHL, that a Hoare triple is valid 
if b;p = b;p;c. In GKAT, this expression states that, after the execution 
of p guarded by the truth degree of condition b, a state is reached where 
the truth degree of the post condition does not modify the value of the 
execution. In I-GKAT, for the case considered in example 2, the variation 
from the classical case comes when b = u. Thus, the expression b;p can 
be interpreted as “not sure if program p can be executed”. Due to the 
nature of the expression (an equality relation), this is clearly tied to the 
classical, two-valued logic: despite the graded nature of the computations, 
their correctness is evaluated in a bivalent truth space. 

This limitation motivates an alternative approach currently under inves- 
tigation. The intention is to go a step further, resorting to the same algebraic 
structure used to specify the computational paradigm, to give semantics to 
the logic used to reason about it. This will allow us to discuss the validity of an
assertion over a fuzzy or a quantum program in terms of a logic that itself
captures fuzzy or quantum reasoning, respectively.